Data Protection policy

Our Data Protection policy and eight key principles

Data Protection policy statement

Girlguiding conforms to the requirements of the Data Protection Act 1998 when storing personal data on its membership systems. It is the policy of Girlguiding that all personal information will be used for guiding purposes and only passed outside the organisation with consent from Girlguiding’s Data Controller. 

Policy and legislation

A detailed copy of the Girlguiding Data Protection Policy can be found here.

Any breach of this policy will result in withdrawal of membership and could lead to criminal prosecution under the Data Protection Act 1998.

Additional guidance for websites, property and paid staff can be found here.

Principles of data protection

There are eight key principles to data protection.


1: Personal data must be processed fairly and lawfully

This means that an individual whose personal data is collected has given their consent, and understands it will be kept and used in guiding. In guiding, consent must be given electronically via Join Us enquiries or a signature from a parent on the Starting form or Starting report. Those responsible for the management of data at any level must use the systems provided:

  • Enquiries – Join Us
  • Membership – Go!
  • Recruitment – Recruitment site 
  • Subscription – Subscription site
  • Purchasing – Girlguiding online shop

Further information about these systems can be found here.

2: Data should be obtained only for one or more stated and lawful purposes and must not be processed in any way incompatible with those purposes

This means that the information collected from potential members and members should only be collected and used for the purposes of the delivery of good and safe guiding.

3: Data must be adequate, relevant and not excessive in relation to the purposes for which they are processed

This means that only the information needed to ensure members of all ages feel safe and supported can be kept. This information should be objective and not subjective.

4: Data should be accurate and, where necessary, up to date

This means the Unit Leaders must check regularly with parents or the young member themselves (if they are over 14 years of age) that the data is correct and up to date. This is achieved by running the individual details report for each member on Go!, sharing it with the parent or young person and asking them to confirm the information is up to date. Once confirmation is received, the paper document should be destroyed by shredding or burning.

5: Data shall not be kept for longer than is necessary for the purposes for which it is processed

This means that personal data such as emergency contact reports, permission forms etc. should be destroyed immediately after the event they were needed for. The only exception is health forms where some form of intervention has been needed, in which case the form should be retained securely for 3 years and then destroyed by shredding or burning.

6: Data must be processed in accordance with the rights of data subjects

This means that members, or the parents of members, have the right to request any information held on them by Girlguiding. This includes system records, emails, SMS text scripts, voice recordings or any form of data that can be linked back to the individual. They can request this information either directly from Girlguiding using the SAR Request form that can be found below or via the Information Commissioner's Office (ICO) by submitting a Subject Access Request. All requests should be sent to the Data Controller for reply.

7: The data controller must take appropriate security measures

This means that Girlguiding ensures that the security of the Membership Systems meets the industry standard and regularly tests the systems to ensure they are safe from external infiltration.

8: Data must not be transferred to a country or territory outside the European Economic Area (“EEA”)

Unless there are adequate levels of protection for the rights and freedoms of data subjects in relation to the processing of data.

This means you cannot transfer any data outside of the EEA unless the approval of the Girlguiding Data Controller has been obtained. This would usually be for the purposes of sharing information with other members of the World Association of Girl Guides and Girl Scouts.

Published: 8 September 2016